Problems with AD Windows users

  • #356980
    tycho
    Participant

    Hi,
    we have tried to get a Xserve to co-operate with Active Directory, but have run into a problem.

    First of all we installed a test server. Made the configurations in the DNS, bound it to Active Directory, put the Xserve as a WINS client, started the Windows services. Everything worked as expected.
    Windows users could double-click the Xserve's icon and were logged in automatically.
    Mac users could log in via AFP or SMB without problems.

    Then we made a clean 10.3 install on the Xserve and configured it in exactly the same way, except for IP and name. (Btw all names are in small letters).
    Logging in from a Mac works ok (via AFP and SMB) but trying to log in from a Windows machine that is part of AD gives this error:
    \\xserve is not accessible.
    The account is not authorized to log in from this station.
    (xserve is the name of the server)
    Logging in from the same Windows machine using the IP number works without problems.
    But using \\xserve or \\xserve.domain.com gives the same error.

    Any ideas what might be the problem?

    Tycho

    #357010
    tycho
    Participant

    I checked the values for
    workgroup ( = THEDOMIAININUSE)
    security = domain
    and added
    password server = xxx.xxx.xxx.xxx (ip number of the AD server)

    But that didn’t help.

    Somebody gave me a hint that it might be WINS related, but I have no clue where to go from here.

    Tycho

    #357015
    Anonymous
    Participant

    I had the exact same problems with the AD integration. The problem was that OS X can see the users fine via LDAP/AD but when a Windows user accesses the shares, OS X must be capable of seeing the Kerberos Tokens and comparing them to the LDAP users and groups. Here are a few hints:

    – If you have an empty root in your AD domain, use the ROOT for the Kerberos Realm
    – Make sure you have a user called ‘root’ in your Active Directory domain with the same password as the root (administrator) user on the OS X Box
    – From Terminal you need to type “kinit root” to establish the initial Kerberos cache

    To test if Kerberos is working properly, type “Klist” from Terminal; you should see a list of tokens from your AD realm. If you do not, it is not working properly.

    #357016
    Anonymous
    Participant

    Being new to AD and Kerberos I am not exactly sure what this means:
    “- If you have an empty root in your AD domain, use the ROOT for the Kerberos Realm”.

    #357226
    Anonymous
    Participant

    I don’t think this is necessary

    typing
    kinit [email protected]
    should do the trick

    #360692
    Anonymous
    Guest

    I am having the same exact problem. Did anyone have a solution? Or even better, does anyone know of one piece of literature that covers (like a typical how-to) how to add an x-serve to an environment running OS X and have Windows boxes use AD to authenticate? The documentation that Apple has is crap and I can’t find a single document that covers everything!

    #360696
    s_groening
    Participant

    Try reading this document that I have posted here earlier….

    Mac OS X single sign-on with Active Directory

    It should give you a pretty straightforward way of getting this to work properly (single sign-on) for both Mac and Windows users.

    Regards,

    Søren Grønning
